

CPAN Security and Sustainability in light of the EU Cyber Resilience Act

German Perl Workshop 2025

Salve J. Nilsen

🐘 Mastodon — @sjn\@chaos.social

Note:

  • This talk is more about the future of open source communities than about the present

(Not a lawyer)


(Not a ~lawyer~)

  • (Also, not an “authority”)

(Not a ~lawyer~)

  • (Also, not an ~”authority”~)
  • I’m a volunteer

Cyber Resilience Act – ★ – 10th Dec 2024


Cyber Resilience Act – ★ – 10th Dec 2024

  • Into effect: December 10th 2024
  • Main obligations: December 11th 2027
  • Reporting obligations: September 11th 2026
> * Council adoption [announcement](https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/) – 2024-10-10
> * Obligations apply from… – [Article 71(2)]

CRA Fines

> Supplying **incorrect**, **incomplete** or **misleading** information may be fined up to 5M EUR or 1% of global turnover
> — Cyber Resilience Act, [Article 64(4)],
> w.r.t. metadata described in [Annex II],
> as required in [Article 13(18)]

Notes:

  • There are more fines! See Article 64.

CRA TL;DR

  1. Shift responsibility to the Manufacturer
  2. Make security updates free
  3. Add CE marking on products with software
  4. Importers and Distributors become liable
  5. Securing the software supply chain is mandatory
  6. Risk-based security in products
  7. Open Source is affected
  8. Maintaining a Software Bill of Materials is mandatory
  9. All products are affected

CRA is a…

  • …product legislation, intended to…
  • …ensure Products with Digital Elements are safe before placement on the market
  • …with the intention to increase the general Cybersecurity across Europe

Note:


CRA applies to…

  • Manufacturers
    • …placing Products with Digital Elements on the EU market
    • …in the course of a commercial activity
> * Background: [Recital 15](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=17)
> * Placing on the market: [Article 3 (21)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=140)

Note:


Products with Digital Elements are…

  • Connected devices,
  • Non-tangible digital products,
  • […their] remote data processing solutions,
  • […and] related systems and services needed for operation
> * Background: [Recital 9](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=10)
> * Product with Digital Elements: [Article 3 (1), (4), (6), (7)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=136)

Note:

  • routers, cameras, fridges, toys, etc.
  • apps or any device that is connected to the network
  • Anything which has software may be affected!

CRA does not apply to…

  • Software that is purely part of a service*
  • Software that is covered by other regulation
  • Software that is Open Source*
> * [Recital 12](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=13)
> * [Recital 18](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=21)

Notes:

  • NIS2, AI Act, Medical device regulations, DORA (Fintech)

Five “Roles”

  • Manufacturer
  • Distributor, Importer, Market Authorities
  • Open Source Software Steward

~Five~ Six “Roles”

  • Manufacturer
  • Distributor, Importer, Market Authorities
  • Open Source Software Steward
  • Open Source Developers*

Six “Roles”

  • Manufacturer
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward
  • Open Source Developers*

Six “Roles”

  • Manufacturer 🔍
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward
  • Open Source Developers*

Manufacturer

  • A natural or legal person who…
    • develops or manufactures products with digital elements, or
    • has products designed, developed or manufactured, and
    • markets them under its name or trademark,
    • …whether for payment, monetisation or free of charge
> * [Article 3] (12)
> * [Article 3] (13)

Obligations of Manufacturers
— Conformance

CE Mark

  • Place a CE mark on the product
    • …stating cybersecurity requirements have been demonstrated
  • Manufacturer assumes responsibility for compliance
> * [Article 28(1)] - …stating that the cybersecurity requirements in [Annex I] have been demonstrated
> * [Article 28(4)] - Assume responsibility for compliance
> * [Annex I] - Cybersecurity requirements

Note:

  • “I am following EU Law”
  • “Presumption of Conformance” when following EU Standards

Obligations of Manufacturers
— Conformance

  • Default: Self-assessment
  • Open Source: Self-assessment
  • Important:
    • Follow harmonized standards -> Presumption of conformance
    • 3rd-party assessment
  • Critical: EU certification
> * [Article 32] - Conformity assessment procedures
> * [Article 7] - Important products
> * [Article 8] - Critical products
> * [Article 27] - Presumption of conformance
> * [Annex I, Part I] - Cybersecurity requirements
> * [Annex III] - Important products (Class I and II) examples
> * [Annex IV] - Critical products examples

Note:

  • Self-assessment for most cases (~90%)
  • “Presumption of Conformance” when following EU Standards
  • Important I: Browsers; ID management; Virus scanners; Network management systems; OSes
  • Important II: Hypervisors; Firewalls; Tamper-resistant microcontrollers
  • Critical: Smartcards; Smart metering systems

— Support period

  • Default is 5 years; Can be longer or shorter
  • Security fixes must remain available for 10 years after issuing
> * [Article 13(8)] - Vulnerabilities are handled for 5 years
> * [Article 13(9)] - Security updates available for 10 years

— Build & Dependencies

  • Identify and document vulnerabilities and components contained in products
  • Describe how the product is put together
> * [Annex I, Part I] (1) – Design and develop products with appropriate levels of cybersecurity
> * [Annex VII] 2 (a) – Describe how software components build on or feed into each other and integrate

— Produce SBOMs

  • Produce SBOMs upon request by regulators
  • At minimum, top-level dependencies
> * [Recital (22)] – Market surveillance authorities can request SBOMs
> * [Annex I, Part II] (1) – identify and document […] components […] by drawing up a software bill of materials

Note:

  • “covering at the very least the top-level dependencies of the products” – is a trap!
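Why "top-level dependencies" is a trap, as an added example that is not part of the talk: a product ships everything its prerequisites pull in, so an SBOM built from the direct `requires` list alone understates what is installed. The script below uses a constructed CPAN-style dependency graph (distribution names are real CPAN distributions, but the versions and prerequisite edges are made up for illustration), contrasts the top-level list with the transitive closure, and emits a minimal CycloneDX-style document with `pkg:cpan` package URLs.

```perl
#!/usr/bin/env perl
# Added example: expand a CPAN dependency graph beyond the top level and
# emit a minimal CycloneDX-style SBOM. Core modules only (JSON::PP).
use strict;
use warnings;
use JSON::PP;

# Constructed stand-in for the runtime "requires" of several META.json files,
# keyed by distribution. Versions and edges are illustrative, not real.
my %meta = (
    'My-App'        => { version => '1.00',  requires => { 'HTTP-Tiny' => '0.088', 'JSON-PP' => '4.16' } },
    'HTTP-Tiny'     => { version => '0.088', requires => { 'IO-Socket-SSL' => '2.089' } },
    'IO-Socket-SSL' => { version => '2.089', requires => { 'Net-SSLeay' => '1.94' } },
    'Net-SSLeay'    => { version => '1.94',  requires => {} },
    'JSON-PP'       => { version => '4.16',  requires => {} },
);

# What the product declares directly: the "top-level dependencies".
sub top_level_deps {
    my ($dist) = @_;
    return sort keys %{ $meta{$dist}{requires} // {} };
}

# What actually ships: breadth-first walk to the transitive closure.
sub all_deps {
    my ($dist) = @_;
    my %seen;
    my @queue = ($dist);
    while (defined(my $d = shift @queue)) {
        for my $dep (top_level_deps($d)) {
            push @queue, $dep unless $seen{$dep}++;   # enqueue each dist once
        }
    }
    return sort keys %seen;
}

# Minimal CycloneDX-shaped structure; purl type "cpan" uses distribution names.
sub sbom_for {
    my ($dist) = @_;
    my @components = map { +{
        type => 'library', name => $_, version => $meta{$_}{version},
        purl => "pkg:cpan/$_\@$meta{$_}{version}",
    } } all_deps($dist);
    return {
        bomFormat   => 'CycloneDX', specVersion => '1.5',
        metadata    => { component => { type => 'application', name => $dist, version => $meta{$dist}{version} } },
        components  => \@components,
    };
}

printf "top-level: %s\n", join(', ', top_level_deps('My-App'));
printf "all:       %s\n", join(', ', all_deps('My-App'));
print JSON::PP->new->canonical->pretty->encode(sbom_for('My-App'));
```

With the constructed graph the top-level list names two distributions while the closure names four; the two that the top-level SBOM omits are exactly the TLS-related ones a regulator asking "is this product exposed to vulnerability X?" would care about.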

— No Vulnerabilities

  • Product is secure by default, and secure by design
  • Product has no known vulnerabilities
  • 😍 Exercise due diligence when integrating third party components
  • 😍 Report vulnerabilities to the Manufacturer or Open Source maintainer
> * [Article 13(1)] – Develop in accordance with essential cybersecurity requirements
> * [Annex I, Part I] (2) (a) – without known exploitable vulnerabilities
> * [Article 13(5)] – Exercise due diligence when integrating, including FOSS
> * [Article 13(6)] – Share relevant code or documentation with the supplier or maintainer of the component
> * [Recital (65)] – Notify of severe incidents or actively exploited vulnerabilities

Note:

  • Due diligence – to avoid or fix the components that compromise security

— Offer timely security updates

  • Make security updates available for the duration of the support period
  • Ensure vulnerabilities can be addressed through security updates
> * [Article 13(8)] – Vulnerabilities are handled for 5 years
> * [Annex I, Part II] – Vulnerability handling requirements
> * [Annex I, Part I] (2) (c) – vulnerabilities addressed through security updates

Note:

  • Address vulnerabilities in a timely manner

— More!

  • Manufacturer is clearly identified
  • Single point of contact
  • Product has a unique ID
  • Take part in the EU early warning notification regime
> * [Article 13(16)] – Manufacturer name
> * [Article 13(17)] – Single point of contact
> * [Article 13(15)] – Product ID
> * [Article 14(1)] – Notify of exploited vulnerabilities

Six “Roles”

  • Manufacturer 🔍
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward
  • Open Source Developers*

Six “Roles”

  • Manufacturer ✅
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward 🔍
  • Open Source Developers*

Open Source Software Steward 🆕


OSS Stewards

  • EU Commission has been creative
  • A new organization, with several roles to play
  • Perl, CPAN, Raku communities affected

OSS Stewards are…

  • legal persons who provide support on a sustained basis for OSS products, and
    • …play a main role in ensuring the viability of those products
    • …only cover OSS software that is
      • …ultimately intended for commercial activities
> * [Article 3] (14) – Definition
> * [Recital (19)] – Play a main role; …intended for commercial…

OSS Stewards are…

  • Sustained support includes (but is not limited to)…
    • hosting development collaboration platforms
    • hosting of source code
    • governing or managing of open source software products
    • steering of the development of such products
> * [Recital (19)] – Sustained support

OSS Stewards are obliged to

  • …facilitate Manufacturers’ due diligence obligations
  • …provide a cybersecurity policy & documentation
  • …cooperate with market surveillance authorities
  • …notify designated CSIRT on…
    • actively exploited vulnerabilities
    • severe incidents
  • …notify users on…
    • incidents and exploited vulnerabilities
> * [Article 24] – OSS Steward obligations
> * [Article 13(5)] – Due diligence obligations
> * [Article 15] – Security policy
> * [Article 24(2)] – Market surveillance authorities
> * [Article 14(1)] – Notify on exploited vulnerabilities
> * [Article 14(3)] – Notify market authorities on any severe incidents
> * [Article 14(8)] – Notify users on actively exploited vulnerabilities

Notes:

  • …cybersecurity policy for voluntary reporting of vulnerabilities
  • …notify designated CSIRT to the extent the Steward is involved

OSS Stewards attest…

OSS Software may get a voluntary security attestation…

  • …using an EU Attestation program
  • …in such a way that this can be initiated or financed by not only
    • FOSS projects, but also by others, including
    • manufacturers,
    • users, or
    • public administrations.
> * [Article 25] – Security attestation of free and open-source software
> * [Recital (21)] – EU Attestation program

Six “Roles”

  • Manufacturer ✅
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward 🔍
  • Open Source Developers*

Six “Roles”

  • Manufacturer ✅
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward ✅
  • Open Source Developers* 🔍

Open Source Developers

  • CRA doesn’t really talk about Open Source Developers

Obligations to Open Source Developers
– Status Quo

  • CRA does not apply to Developers that…
    • contribute code to projects they are not responsible for
    • are not monetising the product
    • make a product that is ultimately not intended for commercial activities
> * [Recital (18)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=20)
> * [Recital (19)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=22)

– With an Open Source Steward

  • CRA applies voluntarily if the Developer decides…
    • their product is ultimately intended for commercial activities
> * [Recital (19)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=22)

Six “Roles”

  • Manufacturer ✅
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward ❌
  • Open Source Developers 🔍

Six “Roles”

  • Manufacturer ✅
  • Distributor, Importer, Market Authorities ❌
  • Open Source Software Steward ❌
  • Open Source Developers ✅

How will this affect Open Source?


How will this affect Open Source?

  • Open Source is not a “group” or a “community”

Note:


How will this affect Open Source?

  • Open Source is not a “group”
  • Open Source is a Universal Phenomenon

How will this affect Open Source?

  • Open Source is not a “group”
  • Open Source is a Universal Phenomenon
  • Open Source is the act of…
    • Cooperatively building our digital infrastructure

How will this affect ~Open Source~ all of us?


How will this affect all of us?

  • The CRA offers many challenges for a messy world
  • It’s up to volunteers and users (us!) to improve it
  • ~”If it ain’t broke, don’t fix it”~
  • Don’t be a bystander – volunteer – cooperate

Volunteer!

Thanks!

Salve J. Nilsen

🐘 Mastodon — @sjn\@chaos.social

🦆🦆🦆

Questions & Comments

Note:

  • “Permissionless Innovation”
  • “Being a Good Open Source Citizen”
  • We already know that being a bystander doesn’t work – better to step up instead!